Solved: Why am I getting multiple email notices per minute...

usbamuchmore · ‎12-19-2018

I have inherited a medium install of Splunk, and for the most part, I understand everything. But, a simple account locked alert is sending multiple, multiple email notices per minute, and I don't understand why. I'll include a screenshot so anyone who sees something let me know. The purpose is to check for real-time account lockouts and notify only once.

Vijeta · ‎12-19-2018

Probably its because of real-time alert. You can schedule it to run every 1 min for the window of last 60 seconds i.e. 1 minute.

View solution in original post

usbamuchmore · ‎12-19-2018

Perfect guys thank you!

richgalloway · ‎12-19-2018

In addition to the great answer from @Vijeta, turn on throttling. This keeps Splunk from generating additional alerts for the same event(s) for a period of time. To do that, click on the "Throttle" box, complete the form, and click Save.

---
If this reply helps you, Karma would be appreciated.

usbamuchmore · ‎12-19-2018

The throttling did it, thank you, guys!

Vijeta · ‎12-19-2018

Probably its because of real-time alert. You can schedule it to run every 1 min for the window of last 60 seconds i.e. 1 minute.

usbamuchmore · ‎12-19-2018

Ok good. Thank you, clearly, I'm very new to Splunk in general.

Why am I getting multiple email notices per minute from Splunk?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability